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Disclaimer 





> This presentation provides guidance to authorized institutions (“Als”) on 
issues relating to the Anti-Money Laundering and Counter-Terrorist 
Financing (Financial Institutions) Ordinance (“AMLO”) and the AMLO 
Guideline. The presentation is provided for training purposes and does not 
form part of the formal legal and regulatory requirements of the HKMA. It 
should not be substituted for seeking detailed advice on any specific case 
from an Al’s own professional adviser. 


> The HKMA is the owner of the copyright and any other rights in the 
PowerPoint materials of this presentation. These materials may be used 
for personal viewing purposes or for use within an Al. Such materials may 
not be reproduced for or distributed to third parties, or used for commercial 
purposes, without the HKMA‘s prior written consent. 


> The cases or examples provided in this presentation might be prepared on 
the basis of synthesis of multiple cases, and certain relevant details might 
have been omitted. 


Characteristics of an Effective 
System 


> Risk assessment processes should be able to differentiate risks of 
Financial Institutions and DNFBPs; understand the nature and level 
of their money laundering and terrorist financing risks; allow Als to 
develop and apply AML/CFT policies (including group-wide policies), 
internal controls, and programmes to adequately mitigate those risks; 
apply appropriate CDD measures to identify and verify the identity of 
their customers (including the beneficial owners) and conduct 
ongoing monitoring; adequately detect and report suspicious 
transactions; and comply with other AML/CFT requirements. 


> This ultimately leads to a reduction in money laundering and terrorist 
financing activities within these entities. 





Guiding Principles of RBA 


> Risk differentiation 


> Risk assessment processes should be able to differentiate risks of 
individual customers within a particular segment or grouping 


> Proportionality 


> Als should apply proportionate risk mitigating and CDD measures 
based on the likely risk level of a customer 


> Not a “Zero Failure” regime 


> Als are not required to implement overly stringent CDD processes 
with a view to eliminating, ex-ante, all risks 





HKMA'’s circular on “De-risking and Financial Inclusion” dated 8 Sep 2016 


Risk-based Approach to CDD 


A risk-based approach helps the CDD process by 
determining the level of information required based on the 
results of customer risk assessment. However, it Is: 





> not implemented by some Als at all, and 


»> no discernible difference between CDD and EDD in some 
cases 


FAQs 


Q1: 

Is there any requirement to have a HK business address? Does the 
HKMA mandate any specific type of address proof for verifying 
business address? 





Al: 

> No. Business address can be in HK or overseas and the HKMA does 
not mandate any specific type of address proof for verifying business 
address. 

> Als should not apply requirements which will form a potential barrier, 
such as accepting only one form of address proof, in verifying the 
business address. 

> Als are expected to take reasonable measures to verify the business 
address of a customer. 


FAQs 


Q2: 


Does the corporate applicant need to provide a Hong Kong 
business registration certification (BRC) at the time of account 
opening? 





A2: 


> Depends on applicant - a BRC may not be applicable to every 
customer and some customers may therefore be unable to produce 
one. 


> Some overseas corporations may not be required to register under 
the Business Registration Ordinance. 

> Further information relating to business registration in Hong Kong 
may be obtained from IRD’s website. 


FAQs 


Q3: 
Are there any specific CDD requirements for start-ups and SMEs? 





A3: 


> No. HKMA requirements are generic to all corporates and 
comparatively high level in order to provide flexibility to Als to apply 
them to different types of customers. 
> Als should ensure that design and implementation of their CDD 
requirements reflect both the operation and profile of these 
companies. 
> MLROs play a key role 


FAQs 


Q4: 
Do Als need to establish source of wealth for every customer? 





A4: 


> No. The HKMA does not require Als to establish source of wealth for 
each and every customer. 


> Reference should be made to the HKMA's training materials in 
January 2016. 


FAQs 


Q5: 


Is it a requirement to have all directors and beneficial owners 
present at account opening? 





AÐ: 


> No. The presence of two or more, or all directors or beneficial owners 
at the time of account opening is not required by the HKMA. 


FAQs 


Q6: 


Are Als required to take additional CDD measures if a company is 
incorporated offshore or has foreign directors or beneficial 
owners? 





A6: 


> Al’s on-boarding process should recognise that offshore 
establishment and non-resident directors etc. are common profiles for 
many corporates seeking banking service in an IFC, like HK. 


> Applications for account opening should not be rejected merely 
because the customer is incorporated offshore or the beneficial 
owners or directors of a corporate customer are non-residents. 

> Als should understand the rationale why a particular type of business 
relationship is sought, taking into account the customer's business 
model or mode of operation. 


FAQs 


Q7: 


Do all documents have to be certified by a certifier, or one that is 
based in HK? 





A7: 


> No. Generally, where a customer is not physically present or unable 
to produce an original document, Als may consider accepting a copy 
of the identification document which is certified to be a true copy by a 
suitable certifier. 


> A list of suitable certifiers provided in the AMLO Guideline is non- 
exhaustive, allowing Als to accept other independent and reliable 
certifiers where appropriate to do so. 


> There is no requirement that a certifier must be physically present in 
HK. 


Feedback from Recent AML/CFT 
Examinations 


Customer Risk Assessment 





When assessing a customer’s ML/TF risk, Als should: 

> take a holistic view of the ML/TF risk factors they have 
identified 

> consider a range of risk factors, including country risk, 
customer risk, product / service risk and delivery / 
distribution channel risk 


Customer Risk Assessment 


When using risk scoring methodology with weighting on risk 
factors, Als should ensure: 


> weighting is not unduly influenced by one factor (e.g. 
nationality / place of incorporation) 


> weighting should not lead to a situation where it is 
impossible to be classified as high risk 

> an informed judgment about the relevance of different risk 
factors is made 

> automatically generated risk scores could be overridden 
where appropriate but rationale should be recorded 
properly 

> risk rating is not influenced by profit consideration 





Customer Risk Assessment 


When Als utilise scoring system from an external service 

provider to calculate risk scores for customers, Als should: 

> understand the system logic and how factors are 
combined to generate overall risk scores 


> ensure the system can cater for their business operations 
and risk profiles 


> be able to demonstrate that scoring reflects their 
understanding of the risks 





Customer Risk Assessment 


= af a A le m Va PA pa 
EXample — requires enhancement 


Bank A assessed risk at customer level using a scoring system 
purchased from an external service provider: 
The system used a range of risk factors with weighting to 
calculate the final risk scores and risk ratings of customers 
Excessive weighting was given to a single risk factor — assets 


under management (AUM) 

The system only considered a customer's nationality / place of 
incorporation to assign risk scores for country risk 

The system only offered a few options in the list of businesses 
to calculate scores on customer risk 








Resource Adequacy often Drives 
Effectiveness of Implementation 
> Known weaknesses should be clearly articulated 


> Is more always better? 
> More does not always mean more effective 


> Effectiveness is about risk mitigation 
»> Adequately and appropriately prioritised allocation of resources 
against key risks 
> Based on identification, assessment and understanding of risks 
> Should be at the heart of board’s actions and thinking 
> not “what does HKMA expect?” 
> See also “Putting risk-based in AML — The Road Ahead” 
dated 25 Sep 2015 on 
http://www.hkma.gov.hk/media/eng/doc/key- 
functions/banking-stability/aml-cft/HKIB_Speech.pdf 


“more” and “effectiveness” 


> The HKMA recognises that 


> reforms that would increase costs and a need for resources would 
NOT automatically increase effectiveness; and 


> an increase in resources is NOT always possible 





> Experienced MLROs / Compliance Officers have an 
important role to play in “adding value” but we do not 
always see: 
> a proactive role 
> the ability to apply resources and effort in the right spots 


»> must be prepared to demonstrate these qualities — should not 
spend whole time fire-fighting 


System Optimization — 
Transaction Screening 19 


Bank B's transaction screening system was ineffective: 
Inadequate coverage of designated parties database 
Lack of validation of system before implementation 
Ineffective matching algorithm (e.g. no fuzzy logic) 
Inappropriate threshold setting without assessment record (e.g. 


exceptionally high matching threshold of 99%) 

Inappropriate filtering rules 

System did not support the screening of Chinese commercial 
codes but no manual processes to address this shortcoming 





System Optimization — 
Transaction Monitoring 20 


Branch C’s transaction monitoring system was ineffective: 
e Adoption of the system from Head Office without validation 
before local implementation 
No adequate review of thresholds and parameters 
— Must take into account different local characteristics of business 


lines and customer types 
Adoption of inappropriate score deduction function in alerts 
generation 
Rely on Head Office to perform periodic review of the system 
(without considering the local context) 





Adverse Information Handling 


> Use of negative or adverse news as a source of financial 
intelligence aids customer screening and risk assessment 
purposes 


> Increasingly useful / important part of AML Model / means 
to identify higher risk activities or relationships 

> Can be applied before a relationship is established and 
periodically, on a risk-based approach, over the course of 
the relationship 


> Robust policies, procedures and oversight are essential 





Adverse Information Handling 


Example 
Bank D utilised an online screening tool to identify adverse 
information associated with the Bank’s customers but: 
Coverage lacking in some areas: cost consideration 
Lack of policies and procedures overseeing adverse 
information and handling adverse information alerts (e.g. 
review scope and completion timeframe) 
Insufficient documentation of justification in alert closure 
Lack of quality assurance check / compliance review on alert 
handling 


Al recognised the importance of adverse information and established 
this in its AML/CFT system, but effectiveness could be further 
enhanced 





Internal Audit 


> Effectiveness of Internal Audit Reviews 

> Frequency & scope of reviews must address Bank's risks 

> Findings of recent IA and compliance reviews on AML 
controls often do not drive change 


> Quality issues or information not discussed at sufficiently senior 
level 


> Inconsistency in implementation of remedial measures 


> Conclusion: not all Als’ approach of reviewing 
effectiveness of AML systems is comprehensive 





Guidance Papers 
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